Awesome tips guys, thank you. I do have mail up and working already, but I'd like to make it secure before I do anything with it. I'm hoping that since it will only be me using for a while a self-signed certificate should do the trick. I know there are really cheap ones, like from namecheap.comthat are $10/year, but it would still be easier to just generate one myself and use that. Am I correct in thinking the implications of doing so would be that it really isn't the best method but the moment it is better than nothing?
On Sat, May 10, 2014 at 5:27 PM, Michael Torrie <[email protected]> wrote: > On 05/10/2014 04:27 PM, Brian J. Rogers wrote: > > I need to setup a mail server but I'd like for it to relatively secure. > > One way to secure it is to only allow access to the SSL ports (SMTPS on > 465, POP3S on 995, IMAPS on 993). But TLS works over the ordinary ports > and the conversation always begins in plain text, and then negotiates > encryption over the same channel. I believe TLS allows a program to > enter and leave encryption, something SSL typically does not. > > Configuring both postfix and dovecot to require TLS before > authentication on the normal ports is possible: > > > http://www.iredmail.org/forum/topic4600-iredmail-support-configuring-postfix-dovecot-to-use-only-ssltls.html > > Another way to secure postfix (well any mail server really) is to only > allow authentication when a user connects to port 587 and uses TLS. > Normal connections for incoming mail on port 25 are unaffected. > Google's outgoing smtp servers are configured this way. > > > http://postfix.1071664.n5.nabble.com/SASL-authentication-on-port-587-only-td22239.html > > > > /* > PLUG: http://plug.org, #utah on irc.freenode.net > Unsubscribe: http://plug.org/mailman/options/plug > Don't fear the penguin. > */ > /* PLUG: http://plug.org, #utah on irc.freenode.net Unsubscribe: http://plug.org/mailman/options/plug Don't fear the penguin. */
